Il giorno 13/feb/2013, alle ore 00:43, PJ Eby <[email protected]> ha scritto:
> On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo <[email protected]> wrote: >> Il giorno 12/feb/2013, alle ore 19:36, PJ Eby <[email protected]> ha >> scritto: >> >>> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <[email protected]> wrote: >>>> The problem with this approach is that Python standard library does not >>>> validate SSL certificates. So even if you force a urllib-based tool to >>>> access PyPI through https, it doesn't help at all in case of a MITM attack. >>> >>> FWIW, if someone provides a suitable *cross-platform* urllib >>> monkeypatch that does certificate validation, even if it only >>> validates PyPI's certificate, I'll add it to setuptools and issue a >>> patch release that uses it, and has its default index URL updated to >>> the https version. >> >> >> This is an option: >> https://gist.github.com/zed/1347055 >> >> it's not a monkeypatch, but it's a handler. You probably want to include a >> CA bundle (eg: the Mozilla one like pip is doing), and use that by default. > > Thanks! TBH, cert stuff makes my head hurt, which is why there's not > more of it in setuptools already: I hesitate to sprinkle a dash of > stuff I don't understand on top of other things and call the problem > solved. That seems like something of an antipattern to me. > > But I suppose I'll need to learn some of it at least, in order to be > able to build a CA bundle, unless I steal whatever pip does. I can > start on integrating this in the meantime at least, and hopefully can > get it out around the same time that PyPI's cert is updated. I'm > nonetheless hesitant to conclude that the problem of security on *non* > PyPI sites or handling redirects or all the rest of it will all be > resolved in a single patch release, though. I can help you by providing patches and/or reviewing them, let me know what you prefer. If you follow pip's patches, you're already on the right track. -- Giovanni Bajo :: [email protected] Develer S.r.l. :: http://www.develer.com My Blog: http://giovanni.bajo.it
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
